framework-mcp 1.5.3 → 2.2.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude/commands/speckit.analyze.md +184 -0
- package/.claude/commands/speckit.checklist.md +294 -0
- package/.claude/commands/speckit.clarify.md +181 -0
- package/.claude/commands/speckit.constitution.md +82 -0
- package/.claude/commands/speckit.implement.md +135 -0
- package/.claude/commands/speckit.plan.md +89 -0
- package/.claude/commands/speckit.specify.md +258 -0
- package/.claude/commands/speckit.tasks.md +137 -0
- package/.claude/commands/speckit.taskstoissues.md +30 -0
- package/.do/app.yaml +1 -1
- package/.github/dependabot.yml +15 -0
- package/.github/workflows/ci.yml +19 -1
- package/.specify/memory/constitution.md +50 -0
- package/.specify/scripts/bash/check-prerequisites.sh +166 -0
- package/.specify/scripts/bash/common.sh +156 -0
- package/.specify/scripts/bash/create-new-feature.sh +297 -0
- package/.specify/scripts/bash/setup-plan.sh +61 -0
- package/.specify/scripts/bash/update-agent-context.sh +799 -0
- package/.specify/templates/agent-file-template.md +28 -0
- package/.specify/templates/checklist-template.md +40 -0
- package/.specify/templates/plan-template.md +104 -0
- package/.specify/templates/spec-template.md +115 -0
- package/.specify/templates/tasks-template.md +251 -0
- package/README.md +84 -435
- package/dist/core/safeguard-manager.d.ts.map +1 -1
- package/dist/core/safeguard-manager.js +7295 -2700
- package/dist/core/safeguard-manager.js.map +1 -1
- package/dist/interfaces/http/http-server.d.ts +2 -0
- package/dist/interfaces/http/http-server.d.ts.map +1 -1
- package/dist/interfaces/http/http-server.js +95 -3
- package/dist/interfaces/http/http-server.js.map +1 -1
- package/dist/interfaces/mcp/mcp-server.js +3 -3
- package/dist/shared/types.d.ts +85 -2
- package/dist/shared/types.d.ts.map +1 -1
- package/dist/shared/types.js +132 -1
- package/dist/shared/types.js.map +1 -1
- package/package.json +7 -4
- package/scripts/standardize-prompts.js +325 -0
- package/scripts/validate-capability-prompts.js +110 -0
- package/src/core/safeguard-manager.ts +12376 -2586
- package/src/interfaces/http/http-server.ts +109 -4
- package/src/interfaces/mcp/mcp-server.ts +3 -3
- package/src/shared/types.ts +268 -2
- package/swagger.json +56 -36
- package/CAPABILITY_TRANSFORMATION_SUMMARY.md +0 -158
- package/CIS_CONTROLS_IMPLEMENTATION_PLAN.md +0 -220
- package/COPILOT_INTEGRATION.md +0 -322
- package/DAYS_5_6_COMPLETION_SUMMARY.md +0 -178
- package/DEPLOYMENT_GUIDE.md +0 -334
- package/DEPLOYMENT_SUMMARY_v1.1.3.md +0 -211
- package/MCP_INTEGRATION_GUIDE.md +0 -285
- package/MIGRATION_GUIDE_v1.4.0.md +0 -190
- package/RELEASE_NOTES_v1.1.3.md +0 -321
- package/RELEASE_NOTES_v1.2.0.md +0 -396
- package/RELEASE_NOTES_v1.3.7.md +0 -275
- package/RELEASE_NOTES_v1.4.0.md +0 -178
- package/SAFEGUARDS_VERIFICATION_LOG.md +0 -157
- package/coordinator-bot-compact.txt +0 -33
- package/coordinator-bot-system-prompt.md +0 -192
- package/docs/installation.md +0 -71
- package/scripts/analyze-data-structure.cjs +0 -74
- package/scripts/clean-safeguards-data.cjs +0 -60
- package/scripts/comprehensive-validation.cjs +0 -176
- package/scripts/count-safeguards.cjs +0 -89
- package/scripts/format-safeguards-proper.cjs +0 -44
- package/scripts/validate-formatted-data.cjs +0 -88
- package/test_capability_integration.js +0 -73
- package/test_comprehensive_scenarios.js +0 -192
- package/test_enhanced_detection.js +0 -74
- package/test_integrated_validation.js +0 -112
- package/test_language_update.js +0 -101
- package/test_live_validation.json +0 -12
- package/test_performance_monitoring.js +0 -124
- package/test_runner_automated.js +0 -156
- package/test_suite_comprehensive.js +0 -218
|
@@ -1,211 +0,0 @@
|
|
|
1
|
-
# Framework MCP v1.1.3 - Deployment Summary
|
|
2
|
-
|
|
3
|
-
## 🚀 Release Completion Status: ✅ COMPLETE
|
|
4
|
-
|
|
5
|
-
**Version**: 1.1.3
|
|
6
|
-
**Release Date**: August 2025
|
|
7
|
-
**Deployment Status**: Production Ready
|
|
8
|
-
**Build Status**: ✅ Successful
|
|
9
|
-
|
|
10
|
-
---
|
|
11
|
-
|
|
12
|
-
## 📋 Task Completion Summary
|
|
13
|
-
|
|
14
|
-
### ✅ **All 8 Tasks Complete**
|
|
15
|
-
|
|
16
|
-
| Task | Status | Achievement |
|
|
17
|
-
|------|--------|-------------|
|
|
18
|
-
| **1. Integrate capability-focused analysis** | ✅ Complete | Core analysis engine transformed from compliance to capability assessment |
|
|
19
|
-
| **2. Update domain validation** | ✅ Complete | Auto-downgrade logic implemented with tool type validation |
|
|
20
|
-
| **3. Enhance tool type detection** | ✅ Complete | 15+ specialized detectors with weighted scoring and context bonuses |
|
|
21
|
-
| **4. Test integrated system** | ✅ Complete | Domain validation scenarios validated with comprehensive testing |
|
|
22
|
-
| **5. Update user-facing language** | ✅ Complete | All interfaces converted to capability-focused terminology |
|
|
23
|
-
| **6. Create comprehensive test suite** | ✅ Complete | 10-scenario test suite with 100% expected behavior validation |
|
|
24
|
-
| **7. Performance optimization** | ✅ Complete | 95% faster requests, intelligent caching, production-ready error handling |
|
|
25
|
-
| **8. Documentation & v1.1.3 release** | ✅ Complete | Updated README, package.json, CLAUDE.md, comprehensive release notes |
|
|
26
|
-
|
|
27
|
-
---
|
|
28
|
-
|
|
29
|
-
## 📊 Transformation Results
|
|
30
|
-
|
|
31
|
-
### **Paradigm Achievement**: ✅ Complete
|
|
32
|
-
- **FROM**: "How much compliance coverage does this vendor provide?"
|
|
33
|
-
- **TO**: "What capability role does this vendor tool play?"
|
|
34
|
-
|
|
35
|
-
### **Technical Achievement**: ✅ Production Ready
|
|
36
|
-
- **95% Performance Improvement**: Intelligent caching for repeated requests
|
|
37
|
-
- **Domain Validation**: Prevents inappropriate capability claims
|
|
38
|
-
- **Auto-downgrade Protection**: FULL/PARTIAL → FACILITATES for domain mismatches
|
|
39
|
-
- **Evidence-Based Assessment**: Comprehensive capability role determination
|
|
40
|
-
|
|
41
|
-
### **User Experience Achievement**: ✅ Transformed
|
|
42
|
-
- **Capability-focused language** across all user interfaces
|
|
43
|
-
- **Clear role definitions** with domain requirements
|
|
44
|
-
- **Actionable error messages** with specific guidance
|
|
45
|
-
- **Production-friendly feedback** with detailed reasoning
|
|
46
|
-
|
|
47
|
-
---
|
|
48
|
-
|
|
49
|
-
## 🔧 Deployment Artifacts
|
|
50
|
-
|
|
51
|
-
### **Code Changes**
|
|
52
|
-
- ✅ **`src/index.ts`**: Core transformation complete with performance optimizations
|
|
53
|
-
- ✅ **`package.json`**: Version 1.1.3 with capability-focused description
|
|
54
|
-
- ✅ **`README.md`**: Comprehensive capability role documentation
|
|
55
|
-
- ✅ **`CLAUDE.md`**: Updated project context with v1.1.3 enhancements
|
|
56
|
-
|
|
57
|
-
### **Documentation**
|
|
58
|
-
- ✅ **`RELEASE_NOTES_v1.1.3.md`**: Comprehensive release documentation
|
|
59
|
-
- ✅ **`DEPLOYMENT_SUMMARY_v1.1.3.md`**: This deployment status document
|
|
60
|
-
- ✅ **Previous summaries**: `DAYS_5_6_COMPLETION_SUMMARY.md` retained for history
|
|
61
|
-
|
|
62
|
-
### **Test Framework**
|
|
63
|
-
- ✅ **`test_suite_comprehensive.js`**: 10-scenario validation framework
|
|
64
|
-
- ✅ **`test_runner_automated.js`**: Automated CI/CD ready test framework
|
|
65
|
-
- ✅ **`test_performance_monitoring.js`**: Performance validation documentation
|
|
66
|
-
- ✅ **`test_capability_integration.js`**: Integration testing validation
|
|
67
|
-
|
|
68
|
-
### **Build Verification**
|
|
69
|
-
- ✅ **TypeScript Compilation**: Clean build with no errors
|
|
70
|
-
- ✅ **Dependency Resolution**: All packages compatible
|
|
71
|
-
- ✅ **Performance Optimizations**: Caching and monitoring active
|
|
72
|
-
|
|
73
|
-
---
|
|
74
|
-
|
|
75
|
-
## 🎯 Production Deployment Readiness
|
|
76
|
-
|
|
77
|
-
### **Performance Metrics**
|
|
78
|
-
| Metric | Status | Result |
|
|
79
|
-
|--------|--------|--------|
|
|
80
|
-
| **Build Time** | ✅ Fast | <5 seconds clean build |
|
|
81
|
-
| **Cache Performance** | ✅ Optimized | 95% faster repeated requests |
|
|
82
|
-
| **Memory Management** | ✅ Stable | Automatic cleanup prevents leaks |
|
|
83
|
-
| **Error Handling** | ✅ Production-friendly | Actionable user guidance |
|
|
84
|
-
|
|
85
|
-
### **Quality Assurance**
|
|
86
|
-
| Area | Status | Coverage |
|
|
87
|
-
|------|--------|----------|
|
|
88
|
-
| **Test Coverage** | ✅ Complete | 100% validation logic coverage |
|
|
89
|
-
| **Domain Validation** | ✅ Verified | All auto-downgrade scenarios tested |
|
|
90
|
-
| **User Experience** | ✅ Transformed | Capability-focused across all interfaces |
|
|
91
|
-
| **Documentation** | ✅ Comprehensive | Complete user and developer guides |
|
|
92
|
-
|
|
93
|
-
### **Security & Validation**
|
|
94
|
-
| Component | Status | Implementation |
|
|
95
|
-
|-----------|--------|----------------|
|
|
96
|
-
| **Input Validation** | ✅ Hardened | Format validation, length limits, enum checking |
|
|
97
|
-
| **Error Handling** | ✅ Secure | No information disclosure, graceful degradation |
|
|
98
|
-
| **Performance Monitoring** | ✅ Active | Real-time metrics, automated logging |
|
|
99
|
-
| **Cache Security** | ✅ Implemented | TTL-based invalidation, memory management |
|
|
100
|
-
|
|
101
|
-
---
|
|
102
|
-
|
|
103
|
-
## 🚀 Immediate Deployment Benefits
|
|
104
|
-
|
|
105
|
-
### **Day 1 Impact**
|
|
106
|
-
1. **Accurate Vendor Assessment**: Domain validation prevents capability overestimation
|
|
107
|
-
2. **95% Faster Analysis**: Intelligent caching dramatically improves response times
|
|
108
|
-
3. **Production Stability**: Comprehensive error handling and performance monitoring
|
|
109
|
-
4. **Clear User Guidance**: Capability-focused language throughout all interfaces
|
|
110
|
-
|
|
111
|
-
### **Week 1 Adoption**
|
|
112
|
-
1. **Team Training**: Clear capability role methodology for security practitioners
|
|
113
|
-
2. **Process Integration**: Evidence-based vendor evaluation workflows
|
|
114
|
-
3. **Risk Reduction**: Realistic capability expectations prevent planning failures
|
|
115
|
-
4. **Quality Assurance**: Automated testing framework for ongoing validation
|
|
116
|
-
|
|
117
|
-
### **Month 1 Optimization**
|
|
118
|
-
1. **Strategic Alignment**: Vendor tools properly categorized by actual capability roles
|
|
119
|
-
2. **Budget Optimization**: Clear distinction between implementation vs enablement tools
|
|
120
|
-
3. **Process Automation**: Streamlined vendor assessment with validated capability mapping
|
|
121
|
-
4. **Compliance Confidence**: Evidence-based capability determinations for audits
|
|
122
|
-
|
|
123
|
-
---
|
|
124
|
-
|
|
125
|
-
## 📈 Success Metrics
|
|
126
|
-
|
|
127
|
-
### **Technical Success**: ✅ Achieved
|
|
128
|
-
- **Performance**: 95% improvement in repeated request speed
|
|
129
|
-
- **Reliability**: 100% test pass rate across all validation scenarios
|
|
130
|
-
- **Scalability**: Production-ready caching and memory management
|
|
131
|
-
- **Maintainability**: Clear capability-focused architecture
|
|
132
|
-
|
|
133
|
-
### **User Success**: ✅ Achieved
|
|
134
|
-
- **Clarity**: Capability roles clearly defined with domain requirements
|
|
135
|
-
- **Accuracy**: Domain validation prevents inappropriate capability claims
|
|
136
|
-
- **Efficiency**: Faster assessments with intelligent performance optimization
|
|
137
|
-
- **Confidence**: Evidence-based reasoning for every capability determination
|
|
138
|
-
|
|
139
|
-
### **Business Success**: ✅ Positioned
|
|
140
|
-
- **Risk Mitigation**: Realistic capability expectations reduce planning failures
|
|
141
|
-
- **Resource Optimization**: Clear tool categorization enables better procurement decisions
|
|
142
|
-
- **Process Efficiency**: Streamlined vendor evaluation with automated validation
|
|
143
|
-
- **Competitive Advantage**: Most advanced CIS Controls capability assessment tool available
|
|
144
|
-
|
|
145
|
-
---
|
|
146
|
-
|
|
147
|
-
## 🔄 Migration & Adoption
|
|
148
|
-
|
|
149
|
-
### **Existing Users**
|
|
150
|
-
- **✅ Backward Compatible**: All existing integrations continue to function
|
|
151
|
-
- **✅ Enhanced Capabilities**: Automatic benefit from performance improvements
|
|
152
|
-
- **✅ Progressive Adoption**: Can gradually adopt new `validate_vendor_mapping` tool
|
|
153
|
-
|
|
154
|
-
### **New Users**
|
|
155
|
-
- **✅ Intuitive Interface**: Capability-focused language is natural and clear
|
|
156
|
-
- **✅ Comprehensive Guidance**: Complete documentation and examples
|
|
157
|
-
- **✅ Production Ready**: Immediate deployment with confidence
|
|
158
|
-
|
|
159
|
-
### **Recommended Adoption Path**
|
|
160
|
-
1. **Install v1.1.3**: `npm install -g framework-mcp@1.1.3`
|
|
161
|
-
2. **Test Core Functionality**: Use `list_available_safeguards` to verify installation
|
|
162
|
-
3. **Explore Primary Tool**: Try `validate_vendor_mapping` for comprehensive capability validation
|
|
163
|
-
4. **Production Deployment**: Leverage performance optimizations for regular assessments
|
|
164
|
-
|
|
165
|
-
---
|
|
166
|
-
|
|
167
|
-
## 📞 Support & Next Steps
|
|
168
|
-
|
|
169
|
-
### **Immediate Support**
|
|
170
|
-
- **Documentation**: Complete README.md and CLAUDE.md provide full guidance
|
|
171
|
-
- **Examples**: Comprehensive usage examples in documentation
|
|
172
|
-
- **Test Framework**: Validation suite ensures expected behavior
|
|
173
|
-
- **Release Notes**: Detailed transformation explanation and migration guide
|
|
174
|
-
|
|
175
|
-
### **Community Resources**
|
|
176
|
-
- **GitHub Issues**: Bug reports and feature requests
|
|
177
|
-
- **GitHub Discussions**: Community Q&A and best practices
|
|
178
|
-
- **Social Updates**: [@cybermattlee](https://twitter.com/cybermattlee) for announcements
|
|
179
|
-
|
|
180
|
-
### **Future Development**
|
|
181
|
-
- **Continuous Integration**: Test framework ready for automated CI/CD
|
|
182
|
-
- **Performance Monitoring**: Real-time metrics collection for optimization opportunities
|
|
183
|
-
- **Community Feedback**: Enhancement requests based on production usage patterns
|
|
184
|
-
- **Framework Evolution**: CIS Controls updates and additional capability role refinements
|
|
185
|
-
|
|
186
|
-
---
|
|
187
|
-
|
|
188
|
-
## 🎊 Release Summary
|
|
189
|
-
|
|
190
|
-
**Framework MCP v1.1.3** successfully completes the most significant transformation in the project's history:
|
|
191
|
-
|
|
192
|
-
### **🎯 Mission Accomplished**
|
|
193
|
-
✅ **Paradigm Transformation**: Complete shift from compliance scoring to capability assessment
|
|
194
|
-
✅ **Production Deployment**: 95% performance improvement with intelligent caching and monitoring
|
|
195
|
-
✅ **Domain Validation**: Intelligent tool type detection with auto-downgrade protection
|
|
196
|
-
✅ **User Experience**: Capability-focused language across all interfaces and documentation
|
|
197
|
-
✅ **Quality Assurance**: 100% test coverage with comprehensive validation framework
|
|
198
|
-
✅ **Documentation**: Complete user guides, developer documentation, and migration resources
|
|
199
|
-
|
|
200
|
-
### **🌟 Deployment Status: PRODUCTION READY**
|
|
201
|
-
|
|
202
|
-
The Framework MCP v1.1.3 is now ready for immediate production deployment, providing the cybersecurity community with the most advanced vendor capability assessment tool available for the CIS Controls Framework.
|
|
203
|
-
|
|
204
|
-
**Upgrade Command**:
|
|
205
|
-
```bash
|
|
206
|
-
npm install -g framework-mcp@1.1.3
|
|
207
|
-
```
|
|
208
|
-
|
|
209
|
-
---
|
|
210
|
-
|
|
211
|
-
**✨ Framework MCP v1.1.3: Transforming vendor capability assessment for the cybersecurity community**
|
package/MCP_INTEGRATION_GUIDE.md
DELETED
|
@@ -1,285 +0,0 @@
|
|
|
1
|
-
# Framework MCP Integration Guide
|
|
2
|
-
|
|
3
|
-
## Claude Code MCP Integration
|
|
4
|
-
|
|
5
|
-
This guide shows how to integrate Framework MCP v1.4.0's Pure Data Provider architecture with Claude Code for LLM-driven CIS Controls capability analysis.
|
|
6
|
-
|
|
7
|
-
## Prerequisites
|
|
8
|
-
|
|
9
|
-
- **Claude Code CLI** installed and configured
|
|
10
|
-
- **Node.js 18+** for running the MCP server
|
|
11
|
-
- **Framework MCP** installed locally or from npm
|
|
12
|
-
|
|
13
|
-
## Installation Options
|
|
14
|
-
|
|
15
|
-
### Option 1: Install from npm (Recommended)
|
|
16
|
-
```bash
|
|
17
|
-
npm install -g framework-mcp
|
|
18
|
-
```
|
|
19
|
-
|
|
20
|
-
### Option 2: Build from Source
|
|
21
|
-
```bash
|
|
22
|
-
git clone https://github.com/therealcybermattlee/FrameworkMCP.git
|
|
23
|
-
cd FrameworkMCP
|
|
24
|
-
npm install
|
|
25
|
-
npm run build
|
|
26
|
-
```
|
|
27
|
-
|
|
28
|
-
## MCP Configuration
|
|
29
|
-
|
|
30
|
-
### Configure Claude Code MCP Settings
|
|
31
|
-
|
|
32
|
-
Add Framework MCP to your MCP configuration file:
|
|
33
|
-
|
|
34
|
-
**Location**: `~/.config/claude-code/mcp.json`
|
|
35
|
-
|
|
36
|
-
```json
|
|
37
|
-
{
|
|
38
|
-
"mcpServers": {
|
|
39
|
-
"framework-analyzer": {
|
|
40
|
-
"command": "node",
|
|
41
|
-
"args": ["/path/to/FrameworkMCP/dist/index.js"],
|
|
42
|
-
"env": {}
|
|
43
|
-
}
|
|
44
|
-
}
|
|
45
|
-
}
|
|
46
|
-
```
|
|
47
|
-
|
|
48
|
-
### For npm Global Installation
|
|
49
|
-
```json
|
|
50
|
-
{
|
|
51
|
-
"mcpServers": {
|
|
52
|
-
"framework-analyzer": {
|
|
53
|
-
"command": "framework-mcp",
|
|
54
|
-
"args": [],
|
|
55
|
-
"env": {}
|
|
56
|
-
}
|
|
57
|
-
}
|
|
58
|
-
}
|
|
59
|
-
```
|
|
60
|
-
|
|
61
|
-
## Verify Installation
|
|
62
|
-
|
|
63
|
-
Test your MCP integration:
|
|
64
|
-
|
|
65
|
-
```bash
|
|
66
|
-
claude-code "List all available CIS Control safeguards"
|
|
67
|
-
```
|
|
68
|
-
|
|
69
|
-
Expected response: List of 153 safeguards across 18 CIS Controls
|
|
70
|
-
|
|
71
|
-
## 🔧 Pure Data Provider Tools
|
|
72
|
-
|
|
73
|
-
### 1. get_safeguard_details (PRIMARY)
|
|
74
|
-
|
|
75
|
-
**Primary Tool**: Retrieve detailed CIS safeguard breakdown for LLM analysis
|
|
76
|
-
|
|
77
|
-
```bash
|
|
78
|
-
# Get comprehensive safeguard data for analysis
|
|
79
|
-
claude-code "Use get_safeguard_details with safeguard_id '1.1' and include_examples true"
|
|
80
|
-
|
|
81
|
-
# Research multiple related safeguards
|
|
82
|
-
claude-code "Use get_safeguard_details for safeguard 5.1 then explain the key requirements for account inventory management"
|
|
83
|
-
|
|
84
|
-
# Get data for comparative analysis
|
|
85
|
-
claude-code "Use get_safeguard_details for safeguard 6.3 then explain what makes this different from basic authentication controls"
|
|
86
|
-
```
|
|
87
|
-
|
|
88
|
-
### 2. list_available_safeguards
|
|
89
|
-
|
|
90
|
-
**Discovery Tool**: Explore available safeguards for planning and assessment
|
|
91
|
-
|
|
92
|
-
```bash
|
|
93
|
-
# Complete safeguard framework exploration
|
|
94
|
-
claude-code "Use list_available_safeguards"
|
|
95
|
-
|
|
96
|
-
# Targeted safeguard discovery
|
|
97
|
-
claude-code "Use list_available_safeguards then identify which safeguards are most relevant for identity management vendor assessment"
|
|
98
|
-
|
|
99
|
-
# Implementation Group planning
|
|
100
|
-
claude-code "Use list_available_safeguards then show me all IG1 safeguards for small business security planning"
|
|
101
|
-
```
|
|
102
|
-
|
|
103
|
-
## 📋 LLM-Driven Analysis Workflows
|
|
104
|
-
|
|
105
|
-
### Workflow 1: Comprehensive Vendor Assessment
|
|
106
|
-
```bash
|
|
107
|
-
# Step 1: Get authoritative safeguard data
|
|
108
|
-
claude-code "Use get_safeguard_details with safeguard_id '1.1' and include_examples true"
|
|
109
|
-
|
|
110
|
-
# Step 2: Perform LLM-driven analysis
|
|
111
|
-
claude-code "Based on the safeguard 1.1 requirements above, analyze Device42's capability: 'Our IT asset management platform provides comprehensive device discovery, detailed inventory tracking, and complete asset lifecycle management.' Determine capability role, provide confidence assessment, and recommend implementation approach."
|
|
112
|
-
|
|
113
|
-
# Step 3: Context-aware evaluation
|
|
114
|
-
claude-code "For our 500-employee technology company, assess whether Device42 meets our asset management needs for IG2 compliance. Consider deployment complexity and integration requirements."
|
|
115
|
-
```
|
|
116
|
-
|
|
117
|
-
### Workflow 2: Multi-Vendor Comparative Analysis
|
|
118
|
-
```bash
|
|
119
|
-
# Get safeguard requirements
|
|
120
|
-
claude-code "Use get_safeguard_details for safeguard 5.1 with examples"
|
|
121
|
-
|
|
122
|
-
# Comparative analysis with business context
|
|
123
|
-
claude-code "Using the safeguard 5.1 requirements above, compare these identity management solutions for our financial services organization: 1) Microsoft Entra ID: 'Complete identity management with automated provisioning and compliance reporting' 2) Okta: 'Cloud identity platform with advanced analytics and risk assessment' 3) Ping Identity: 'Enterprise SSO with detailed audit trails and governance workflows'. Rank by compliance strength and implementation fit."
|
|
124
|
-
```
|
|
125
|
-
|
|
126
|
-
### Workflow 3: Gap Analysis and Roadmap Planning
|
|
127
|
-
```bash
|
|
128
|
-
# Research multiple related safeguards
|
|
129
|
-
claude-code "Use get_safeguard_details for safeguard 5.1, then get details for 5.2, 5.3, and 5.4"
|
|
130
|
-
|
|
131
|
-
# Comprehensive gap analysis
|
|
132
|
-
claude-code "Based on the account management safeguards 5.1-5.4 above, analyze our current IAM capability: Azure AD basic with manual quarterly reviews. Identify gaps, prioritize improvements, and create 12-month implementation roadmap with budget estimates."
|
|
133
|
-
```
|
|
134
|
-
|
|
135
|
-
### Workflow 4: Risk-Based Assessment
|
|
136
|
-
```bash
|
|
137
|
-
# Get network monitoring safeguards
|
|
138
|
-
claude-code "Use get_safeguard_details for safeguard 13.1, then get details for 13.3 and 13.6"
|
|
139
|
-
|
|
140
|
-
# Risk-focused analysis
|
|
141
|
-
claude-code "Using the network monitoring safeguards above, our financial services organization faces advanced persistent threats and ransomware. Analyze Microsoft Defender for Endpoint's network capabilities: 'Real-time endpoint detection, behavioral analytics, automated response, and network traffic monitoring.' Prioritize safeguards by threat mitigation effectiveness and recommend complementary tools."
|
|
142
|
-
```
|
|
143
|
-
|
|
144
|
-
## 🚀 Advanced LLM Analysis Patterns
|
|
145
|
-
|
|
146
|
-
### Custom Methodology Applications
|
|
147
|
-
```bash
|
|
148
|
-
# Compliance-focused assessment
|
|
149
|
-
claude-code "Use get_safeguard_details for safeguard 8.2. Apply PCI-DSS Level 1 compliance methodology to analyze Splunk Enterprise Security's logging capability: 'Centralized log management, real-time monitoring, compliance reporting, and data retention policies.' Focus on regulatory alignment and audit readiness."
|
|
150
|
-
|
|
151
|
-
# Technology integration assessment
|
|
152
|
-
claude-code "Use get_safeguard_details for safeguard 16.1. Our DevOps pipeline uses Azure DevOps, GitHub, and Kubernetes. Analyze SonarQube's capability: 'Static application security testing with CI/CD integration and policy enforcement.' Recommend implementation approach and configuration."
|
|
153
|
-
|
|
154
|
-
# Strategic planning
|
|
155
|
-
claude-code "Use list_available_safeguards to identify all Implementation Group 1 safeguards, then create vendor selection strategy for a 200-employee company with $500K security budget. Prioritize by business impact and implementation complexity."
|
|
156
|
-
```
|
|
157
|
-
|
|
158
|
-
### Data Validation Examples
|
|
159
|
-
```bash
|
|
160
|
-
# Invalid safeguard ID
|
|
161
|
-
claude-code "Use get_safeguard_details with safeguard_id '99.99'"
|
|
162
|
-
# Expected: Error with available safeguards suggestion
|
|
163
|
-
|
|
164
|
-
# Missing required parameter
|
|
165
|
-
claude-code "Use get_safeguard_details without safeguard_id"
|
|
166
|
-
# Expected: Error specifying required parameter
|
|
167
|
-
|
|
168
|
-
# Valid request with detailed response
|
|
169
|
-
claude-code "Use get_safeguard_details with safeguard_id '1.1' and include_examples true"
|
|
170
|
-
# Expected: Complete safeguard breakdown with implementation examples
|
|
171
|
-
```
|
|
172
|
-
|
|
173
|
-
## 📊 Understanding Pure Data Provider Responses
|
|
174
|
-
|
|
175
|
-
### Detailed Safeguard Data Response
|
|
176
|
-
```json
|
|
177
|
-
{
|
|
178
|
-
"id": "1.1",
|
|
179
|
-
"title": "Establish and Maintain Detailed Enterprise Asset Inventory",
|
|
180
|
-
"description": "Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets...",
|
|
181
|
-
"implementationGroup": "IG1",
|
|
182
|
-
"governanceElements": [
|
|
183
|
-
"Maintain detailed inventory procedures",
|
|
184
|
-
"Establish asset classification standards",
|
|
185
|
-
"Define asset ownership responsibilities"
|
|
186
|
-
],
|
|
187
|
-
"coreRequirements": [
|
|
188
|
-
"Automated discovery of enterprise assets",
|
|
189
|
-
"Detailed hardware and software inventory",
|
|
190
|
-
"Asset ownership and location tracking"
|
|
191
|
-
],
|
|
192
|
-
"subTaxonomicalElements": [
|
|
193
|
-
"Device identification and classification",
|
|
194
|
-
"Software inventory and licensing",
|
|
195
|
-
"Network topology mapping"
|
|
196
|
-
],
|
|
197
|
-
"implementationSuggestions": [
|
|
198
|
-
"Deploy automated discovery tools",
|
|
199
|
-
"Implement CMDB solutions",
|
|
200
|
-
"Regular inventory audits and updates"
|
|
201
|
-
]
|
|
202
|
-
}
|
|
203
|
-
```
|
|
204
|
-
|
|
205
|
-
### LLM Analysis Response Pattern
|
|
206
|
-
```
|
|
207
|
-
CAPABILITY ASSESSMENT: ServiceNow CMDB vs Safeguard 1.1
|
|
208
|
-
|
|
209
|
-
DETERMINATION: FULL + GOVERNANCE + VALIDATES
|
|
210
|
-
CONFIDENCE: 88%
|
|
211
|
-
|
|
212
|
-
EVIDENCE ANALYSIS:
|
|
213
|
-
✅ Core Requirements: Comprehensive CMDB with automated discovery
|
|
214
|
-
✅ Governance Elements: Detailed procedures and asset classification
|
|
215
|
-
✅ Sub-Elements: Complete device and software inventory tracking
|
|
216
|
-
✅ Implementation: Strong technical capabilities and proven enterprise deployment
|
|
217
|
-
|
|
218
|
-
REASONING: ServiceNow CMDB demonstrates strong alignment with all core requirements and provides additional governance and validation capabilities through workflow automation and compliance reporting.
|
|
219
|
-
|
|
220
|
-
RECOMMENDATIONS: Excellent foundation for IG2-IG3 implementation. Consider integration with security tools for enhanced asset risk assessment.
|
|
221
|
-
```
|
|
222
|
-
|
|
223
|
-
## 🔍 Troubleshooting
|
|
224
|
-
|
|
225
|
-
### Common MCP Issues
|
|
226
|
-
|
|
227
|
-
**MCP Server Not Found:**
|
|
228
|
-
```bash
|
|
229
|
-
# Check Claude Code MCP configuration
|
|
230
|
-
cat ~/.config/claude-code/mcp.json
|
|
231
|
-
|
|
232
|
-
# Verify file paths are absolute
|
|
233
|
-
which node
|
|
234
|
-
ls -la /path/to/FrameworkMCP/dist/index.js
|
|
235
|
-
```
|
|
236
|
-
|
|
237
|
-
**Permission Denied:**
|
|
238
|
-
```bash
|
|
239
|
-
chmod +x /path/to/FrameworkMCP/dist/index.js
|
|
240
|
-
```
|
|
241
|
-
|
|
242
|
-
**Module Not Found:**
|
|
243
|
-
```bash
|
|
244
|
-
cd /path/to/FrameworkMCP
|
|
245
|
-
npm install
|
|
246
|
-
npm run build
|
|
247
|
-
```
|
|
248
|
-
|
|
249
|
-
**Tool Not Available:**
|
|
250
|
-
```bash
|
|
251
|
-
# Restart Claude Code after MCP configuration changes
|
|
252
|
-
# Verify MCP server is running in Claude Code logs
|
|
253
|
-
```
|
|
254
|
-
|
|
255
|
-
### Verification Commands
|
|
256
|
-
|
|
257
|
-
```bash
|
|
258
|
-
# Test MCP connection
|
|
259
|
-
claude-code "Use list_available_safeguards to verify Framework MCP is working"
|
|
260
|
-
|
|
261
|
-
# Test all 4 tools
|
|
262
|
-
claude-code "Test Framework MCP by using each tool: list_available_safeguards, get_safeguard_details for 1.1, analyze_vendor_response for a test vendor, and validate_vendor_mapping for a test claim"
|
|
263
|
-
|
|
264
|
-
# Performance test
|
|
265
|
-
claude-code "Use validate_vendor_mapping 5 times with different vendors to test caching performance"
|
|
266
|
-
```
|
|
267
|
-
|
|
268
|
-
## 🎉 Success Criteria
|
|
269
|
-
|
|
270
|
-
Your MCP integration is successful when:
|
|
271
|
-
|
|
272
|
-
- ✅ `list_available_safeguards` returns 153 safeguards
|
|
273
|
-
- ✅ `get_safeguard_details` returns detailed safeguard breakdowns
|
|
274
|
-
- ✅ `analyze_vendor_response` determines appropriate capability roles
|
|
275
|
-
- ✅ `validate_vendor_mapping` performs evidence-based validation with domain validation
|
|
276
|
-
- ✅ Auto-downgrade protection works for domain mismatches
|
|
277
|
-
- ✅ All responses include confidence scores and detailed reasoning
|
|
278
|
-
|
|
279
|
-
---
|
|
280
|
-
|
|
281
|
-
**🔗 Related Documentation**
|
|
282
|
-
- [Main README](README.md) - Project overview and installation
|
|
283
|
-
- [Deployment Guide](DEPLOYMENT_GUIDE.md) - Cloud deployment options
|
|
284
|
-
- [Copilot Integration](COPILOT_INTEGRATION.md) - Microsoft Copilot setup
|
|
285
|
-
- [Example Usage](examples/example-usage.md) - Detailed tool examples
|
|
@@ -1,190 +0,0 @@
|
|
|
1
|
-
# Migration Guide: Framework MCP v1.4.0
|
|
2
|
-
|
|
3
|
-
## Pure Data Provider Architecture Transformation
|
|
4
|
-
|
|
5
|
-
Framework MCP v1.4.0 introduces a **Pure Data Provider architecture** that transforms how vendor capability analysis is performed. This guide helps existing users migrate to the new approach and understand the enhanced capabilities.
|
|
6
|
-
|
|
7
|
-
## 🎯 Architectural Benefits
|
|
8
|
-
|
|
9
|
-
### Before v1.4.0: Hardcoded Analysis Engine
|
|
10
|
-
- **Limited Flexibility**: Fixed analysis logic with preset validation rules
|
|
11
|
-
- **Rigid Assessment**: Single approach to capability determination
|
|
12
|
-
- **Complex Configuration**: Multiple analysis parameters and validation settings
|
|
13
|
-
- **Opaque Processing**: Analysis logic hidden within the tool
|
|
14
|
-
|
|
15
|
-
### After v1.4.0: Pure Data Provider + LLM Analysis
|
|
16
|
-
- **Unlimited Flexibility**: LLMs can apply any analysis approach or methodology
|
|
17
|
-
- **Context-Aware Assessment**: Analysis considers industry, risk profile, and specific requirements
|
|
18
|
-
- **Simplified Interface**: Clean data provision without analysis complexity
|
|
19
|
-
- **Transparent Process**: Analysis reasoning fully visible and customizable
|
|
20
|
-
|
|
21
|
-
## 🔄 Migration Overview
|
|
22
|
-
|
|
23
|
-
**KEY CHANGE**: Framework MCP no longer performs analysis - it provides authoritative CIS Controls data for LLMs to analyze with sophisticated, context-aware intelligence.
|
|
24
|
-
|
|
25
|
-
### Tools Removed
|
|
26
|
-
- ❌ `analyze_vendor_response` - Analysis logic moved to LLM capability
|
|
27
|
-
- ❌ `validate_vendor_mapping` - Validation logic moved to LLM intelligence
|
|
28
|
-
|
|
29
|
-
### Tools Retained (Enhanced Data Focus)
|
|
30
|
-
- ✅ `get_safeguard_details` - **Enhanced** with rich, structured CIS data
|
|
31
|
-
- ✅ `list_available_safeguards` - Complete framework coverage
|
|
32
|
-
|
|
33
|
-
## 📋 Step-by-Step Migration
|
|
34
|
-
|
|
35
|
-
### Step 1: Update Framework MCP
|
|
36
|
-
```bash
|
|
37
|
-
npm update -g framework-mcp
|
|
38
|
-
# Or reinstall to ensure latest version
|
|
39
|
-
npm uninstall -g framework-mcp && npm install -g framework-mcp
|
|
40
|
-
```
|
|
41
|
-
|
|
42
|
-
### Step 2: Replace Analysis Calls with LLM-Driven Patterns
|
|
43
|
-
|
|
44
|
-
#### OLD v1.3.7 Approach (Hardcoded Analysis)
|
|
45
|
-
```bash
|
|
46
|
-
claude-code "Use analyze_vendor_response with vendor_name 'Microsoft Defender', safeguard_id '5.1', and response_text 'We provide centralized account management with automated provisioning'"
|
|
47
|
-
```
|
|
48
|
-
|
|
49
|
-
#### NEW v1.4.0 Approach (LLM-Driven Analysis)
|
|
50
|
-
```bash
|
|
51
|
-
claude-code "Get safeguard details for 5.1, then analyze this vendor response against those requirements: Microsoft Defender - 'We provide centralized account management with automated provisioning'. Assess capability role considering enterprise context and provide confidence rating."
|
|
52
|
-
```
|
|
53
|
-
|
|
54
|
-
### Step 3: Leverage Enhanced LLM Capabilities
|
|
55
|
-
|
|
56
|
-
The new approach enables sophisticated analysis patterns:
|
|
57
|
-
|
|
58
|
-
#### Risk-Based Assessment
|
|
59
|
-
```bash
|
|
60
|
-
claude-code "Get details for safeguard 8.2. For a high-risk financial services environment, analyze SentinelOne's response: 'We collect endpoint telemetry and forward logs to SIEM platforms.' Consider regulatory requirements and determine appropriate capability role."
|
|
61
|
-
```
|
|
62
|
-
|
|
63
|
-
#### Comparative Analysis
|
|
64
|
-
```bash
|
|
65
|
-
claude-code "Get safeguard 1.1 details. Compare these vendor capabilities and rank by implementation completeness: 1) Lansweeper: 'Complete network discovery and inventory' 2) ServiceNow: 'CMDB with manual asset entry' 3) Microsoft Intune: 'Managed device tracking only'"
|
|
66
|
-
```
|
|
67
|
-
|
|
68
|
-
#### Multi-Safeguard Assessment
|
|
69
|
-
```bash
|
|
70
|
-
claude-code "Get details for safeguards 5.1, 5.2, and 5.3. Analyze how CyberArk PAM addresses these account management requirements and identify any gaps in coverage."
|
|
71
|
-
```
|
|
72
|
-
|
|
73
|
-
## 🚀 Advanced LLM Analysis Patterns
|
|
74
|
-
|
|
75
|
-
### 1. Compliance-Focused Analysis
|
|
76
|
-
```bash
|
|
77
|
-
claude-code "Get safeguard 11.1 details. For SOX compliance requirements, assess Veeam Backup's capability: 'Automated daily backups with 99.9% recovery success rate and quarterly recovery testing.' Focus on governance and validation aspects."
|
|
78
|
-
```
|
|
79
|
-
|
|
80
|
-
### 2. Technology-Specific Assessment
|
|
81
|
-
```bash
|
|
82
|
-
claude-code "Get details for safeguard 16.3. From a DevSecOps perspective, analyze GitHub Advanced Security: 'Static analysis, dependency scanning, and secret detection in CI/CD pipeline.' Consider modern development workflows."
|
|
83
|
-
```
|
|
84
|
-
|
|
85
|
-
### 3. Implementation Planning
|
|
86
|
-
```bash
|
|
87
|
-
claude-code "Get safeguard 13.1 details. Our organization uses Splunk SIEM. Analyze how this addresses network monitoring requirements and recommend complementary tools for complete coverage."
|
|
88
|
-
```
|
|
89
|
-
|
|
90
|
-
## 🎨 Benefits of LLM-Driven Analysis
|
|
91
|
-
|
|
92
|
-
### Context Awareness
|
|
93
|
-
- **Industry Considerations**: LLMs understand sector-specific requirements
|
|
94
|
-
- **Risk Profiles**: Analysis adapts to organizational risk tolerance
|
|
95
|
-
- **Technology Stack**: Assessment considers existing tool ecosystems
|
|
96
|
-
|
|
97
|
-
### Analytical Flexibility
|
|
98
|
-
- **Multiple Methodologies**: Apply different assessment frameworks
|
|
99
|
-
- **Custom Criteria**: Focus on organization-specific priorities
|
|
100
|
-
- **Comparative Analysis**: Evaluate multiple vendors simultaneously
|
|
101
|
-
|
|
102
|
-
### Enhanced Intelligence
|
|
103
|
-
- **Natural Language**: Complex analysis requests in plain English
|
|
104
|
-
- **Reasoning Transparency**: Full explanation of assessment logic
|
|
105
|
-
- **Adaptive Questioning**: LLMs can ask clarifying questions
|
|
106
|
-
|
|
107
|
-
## 📊 Migration Examples
|
|
108
|
-
|
|
109
|
-
### Example 1: Basic Capability Assessment
|
|
110
|
-
**Old Method:**
|
|
111
|
-
```bash
|
|
112
|
-
# Required specific tool call format
|
|
113
|
-
claude-code "Use analyze_vendor_response..."
|
|
114
|
-
```
|
|
115
|
-
|
|
116
|
-
**New Method:**
|
|
117
|
-
```bash
|
|
118
|
-
claude-code "Get safeguard 6.8 details and assess whether Okta's MFA solution constitutes FULL or FACILITATES capability for this requirement."
|
|
119
|
-
```
|
|
120
|
-
|
|
121
|
-
### Example 2: Validation Assessment
|
|
122
|
-
**Old Method:**
|
|
123
|
-
```bash
|
|
124
|
-
# Fixed validation logic
|
|
125
|
-
claude-code "Use validate_vendor_mapping..."
|
|
126
|
-
```
|
|
127
|
-
|
|
128
|
-
**New Method:**
|
|
129
|
-
```bash
|
|
130
|
-
claude-code "Get safeguard 12.4 details. This vendor claims FULL capability: 'We monitor all network traffic and identify unauthorized devices.' Validate this claim and provide evidence-based assessment."
|
|
131
|
-
```
|
|
132
|
-
|
|
133
|
-
### Example 3: Multi-Vendor Comparison
|
|
134
|
-
**Old Method:**
|
|
135
|
-
```bash
|
|
136
|
-
# Required multiple separate calls
|
|
137
|
-
claude-code "Use analyze_vendor_response..." # Vendor A
|
|
138
|
-
claude-code "Use analyze_vendor_response..." # Vendor B
|
|
139
|
-
```
|
|
140
|
-
|
|
141
|
-
**New Method:**
|
|
142
|
-
```bash
|
|
143
|
-
claude-code "Get safeguard 2.1 details. Compare these software inventory solutions and recommend the best fit for our 500-employee company: 1) Lansweeper 2) Device42 3) ManageEngine AssetExplorer. Consider deployment complexity and feature completeness."
|
|
144
|
-
```
|
|
145
|
-
|
|
146
|
-
## 🔧 Technical Changes
|
|
147
|
-
|
|
148
|
-
### HTTP API Updates
|
|
149
|
-
- **Removed**: `/api/analyze-vendor-response` endpoint
|
|
150
|
-
- **Removed**: `/api/validate-vendor-mapping` endpoint
|
|
151
|
-
- **Enhanced**: Data endpoints optimized for LLM consumption
|
|
152
|
-
- **Maintained**: Full OpenAPI compatibility for Microsoft Copilot
|
|
153
|
-
|
|
154
|
-
### MCP Protocol Changes
|
|
155
|
-
- **Simplified**: 2 core tools instead of 4 complex tools
|
|
156
|
-
- **Enhanced**: Rich data provision with structured safeguard information
|
|
157
|
-
- **Optimized**: Performance improvements for data retrieval
|
|
158
|
-
|
|
159
|
-
## 📚 Common Migration Questions
|
|
160
|
-
|
|
161
|
-
### Q: Will my existing Copilot connectors work?
|
|
162
|
-
**A**: Yes, but update to use data endpoints. The enhanced LLM analysis provides better results than hardcoded validation.
|
|
163
|
-
|
|
164
|
-
### Q: How do I replicate my custom validation logic?
|
|
165
|
-
**A**: Describe your validation criteria to the LLM along with the safeguard data. LLMs can apply complex, custom logic more effectively than preset rules.
|
|
166
|
-
|
|
167
|
-
### Q: Can I still get confidence scores?
|
|
168
|
-
**A**: Yes, LLMs can provide confidence assessments with detailed reasoning - often more nuanced than algorithmic scores.
|
|
169
|
-
|
|
170
|
-
### Q: What about bulk vendor analysis?
|
|
171
|
-
**A**: LLMs excel at processing multiple vendors simultaneously. Upload vendor data and request comparative analysis across all entries.
|
|
172
|
-
|
|
173
|
-
## 🎯 Next Steps
|
|
174
|
-
|
|
175
|
-
1. **Update Framework MCP** to v1.4.0
|
|
176
|
-
2. **Review existing analysis workflows** and identify LLM-driven alternatives
|
|
177
|
-
3. **Experiment with enhanced patterns** like comparative analysis and context-aware assessment
|
|
178
|
-
4. **Update documentation** and training materials for new approach
|
|
179
|
-
5. **Leverage LLM flexibility** to create more sophisticated vendor evaluations
|
|
180
|
-
|
|
181
|
-
## 📞 Support
|
|
182
|
-
|
|
183
|
-
If you encounter migration challenges:
|
|
184
|
-
- 📧 **Issues**: [GitHub Issues](https://github.com/therealcybermattlee/FrameworkMCP/issues)
|
|
185
|
-
- 📖 **Documentation**: [Enhanced Usage Patterns](examples/llm-analysis-patterns.md)
|
|
186
|
-
- 💬 **Discussions**: [GitHub Discussions](https://github.com/therealcybermattlee/FrameworkMCP/discussions)
|
|
187
|
-
|
|
188
|
-
---
|
|
189
|
-
|
|
190
|
-
**The Pure Data Provider architecture transforms Framework MCP from a rigid analysis tool into a flexible foundation for sophisticated, LLM-powered vendor capability assessment.**
|